Over the last two and a half years, the Department of Defense's Cybersecurity Maturity Model Certification program, known as CMMC, has undergone several changes, organizational shifts, revisions and updates. Now, DOD officials expect to include CMMC requirements in federal contracts as early as May 2023, but there is still work to be done in the meantime.
CMMC is currently going through a lengthy rulemaking process. Stacy Bostjanick, director of CMMC policy for the Department of Defense, said part of the reason the process is being held up is a change in the program's rulemaking requirements.
Originally, CMMC was intended to be implemented through an amendment to the Defense Federal Acquisition Regulation Supplement (DFARS). Upon further review, it was determined that CMMC would also need to go through a separate Code of Federal Regulations rulemaking process, under Title 32, to become a formal program.
In February 2022, the CMMC program was moved under the responsibility of DOD Chief Information Officer and Wash100 award winner John Sherman, relocating it from the Office of the Under Secretary of Defense for Acquisition and Sustainment. The move has "extended" the program's timeline and required additional rulemaking activities, but overall, Bostjanick said the extra work might not be a bad thing.
“I think codifying CMMC as a program in the 32 CFR rule makes it a stronger program and frankly gives it a longer lifespan,” Bostjanick said during the Potomac Officers Club 2022 CMMC Forum. “So the changes have been good,” Bostjanick shared, noting that the importance of the program and the changes it will bring to the industry are worth the extra effort.
“The team is currently working very hard to finalize all of our rules text,” said Bostjanick. Next, Bostjanick said the rules text will go to the Office of Management and Budget, where it will undergo “several reviews.”
“If we have our filing completed and submitted by July, we hope they will give us a transitional arrangement until March 2023,” she said. However, she noted that such an interim rule was not guaranteed.
If an interim rule is granted, CMMC will go through a 60-day public comment period, and program requirements could be incorporated into contracts and acquisitions by May 2023.
“Our plan is for a phased rollout as before to ensure the CMMC ecosystem is ready and able to handle anyone requiring certification for a DOD-requested acquisition,” commented Bostjanick.
To learn more about the federal government's cybersecurity initiatives, goals and plans, join the Potomac Officers Club's Redesigning the Cyber Mindset Around Data Collection, Analysis and Action Forum on May 24.
Ann Dunkin, Department of Energy chief information officer, will deliver the forum's keynote address and share her insights into the department's technology and cybersecurity priorities.